ChinaTechThreat.com Roslyn Layton – [email protected] | John Strand – [email protected]
Stealing From the States: China’s Power Play in IT Contracts US State Governments’ Failure to Scrutinize the Purchase of Lenovo and Lexmark Equipment Jeopardizes Data Security
Edited: 3/16/2020
Stealing From States: China’s Power Play In IT Contracts
State Governments’ Failure to Scrutinize the Purchase of Lenovo and Lexmark Equipment Jeopardizes Data Security
TABLE OF CONTENTS
Executive Summary
Background
Danger Ahead: China’s 2017 Internet Security Law
Military and Intelligence Bans of Lenovo and Lexmark Products
Lenovo’s Chinese Communist Party Connections and Suspect Product Insecurities
Lexmark’s Chinese Communist Party Connections and Suspect Product Insecurities
States Have No Standard Process to Evaluate Insecure Technology
Case Study 1 – Lenovo in Wisconsin
Case Study 2 – Lexmark in Arkansas
Suggested Remedies
By: Dr. Roslyn Layton, Co-Founder, China Tech Threat; Visiting Scholar, American Enterprise Institute;
Visiting Researcher, PhD Fellow, Center for Communications, Media and Information Technologies,
Aalborg University
EXECUTIVE SUMMARY:
American policymakers and media have widely covered the controversy over Chinese-owned and
affiliated technology companies Huawei Technologies Company (Huawei) and ZTE Corporation (ZTE)
in recent years, but other Chinese corporations present similar threats to US national security. In July
2019 the Department of Defense Inspector General highlighted some $33 million in purchases by the
Pentagon of commercial off the shelf (COTS) Lexmark and Lenovo products, which have been noted on
the National Vulnerability Database because of security deficiencies. Like Huawei and ZTE, Lexmark
and Lenovo are Chinese-owned and banned by multiple military and intelligence agencies in the U.S. and
around the globe. This paper expands on these concerns by exploring the threats present within state
governments with the purchase of Lexmark and Lenovo products.
Key findings:
1. Chinese information technology vendors that have been banned from US military and intelligence
networks still contract with state governments. Once the products from these vendors are installed,
they can access sensitive personal and financial information held by courts, police departments,
elections departments, education departments, children and family services, and other social
service providers and agencies.
2. A sample of publicly-available contracts negotiated between state governments and Chinese
technology vendors shows that information transmitted on the vendors’ equipment is now subject
to collection, transfer, processing and inspection by the vendor, and could be transferred to any
country where the vendor does business and to any entity with whom it works. For example, one
US sales agreement with technology manufacturer Lenovo states that data collected on
devices can be transferred to any country where Lenovo does business. In any event, China’s 2017
National Intelligence Law compels this.
3. The National Association of State Procurement Officers (NASPO) frequently negotiates contracts
on behalf of its members. However, security is not a parameter of NASPO’s evaluations. While
federal policy directs information security for federal agencies, states must determine their own
information security standards. NASPO’s collective contract with Lenovo was initiated in 2015
and ends in March 2020; Lexmark’s collective agreement with the organization ends in 2021.
BACKGROUND:
At the federal level, Chinese government-owned vendors Huawei and ZTE have been restricted from US
federal government installations and commercial telecommunication networks because backdoors in the
equipment could enable espionage, surveillance, or sabotage.1 US states are also vulnerable to these and
other Chinese vendors. Federal policy highlights that Chinese-owned technology firms present threats to
national security. In addition to Huawei and ZTE, Section 889(f)(3) of the 2019 NDAA prohibits US
military purchase of video surveillance and telecommunications equipment produced by Hytera
Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology
Company or any subsidiary or affiliate of such entities.2 The Department of Commerce’s Entity List and
National Vulnerability Database list additional Chinese controlled technology firms identified for the
vulnerabilities embedded within their products.3
The Federal Communications Commission adopted rules that prohibit monies from Universal Service
Fund, about $9 billion annually, to be used on vendors and equipment that pose a national security risk.4
Those risks include but are not limited to surveillance, denial of service attacks, and the loss of integrity
and confidentiality of networks. Huawei and ZTE are noted as covered companies in the order, and the
FCC further moves to require USF recipients to remove and replace equipment from covered companies
as well as to collect information to determine to what extent products and services from such covered
companies exist in networks.5
Cyber incidents have grown exponentially more common in recent years, with the World Economic
Forum listing mass data breaches and cyberattacks as two of the five largest risks facing the world in both
2018 and 2019.6 State governments have faced the growing trend of cyberattacks in the form of
hacktivism and ransomware attacks on network infrastructure, costing governments millions of dollars
and eroding public confidence in civil institutions.7
With state budgets increasingly stretched, low-priced Chinese technology has gained appeal. However,
there is no systematic way for state procurement officers to determine whether the equipment they
purchase is safe.8 Various federal authorities review the vulnerabilities of Chinese-made information
technology products, but the results of these reviews are either classified, or are not published in a
user-friendly way.
Chinese hardware and software can facilitate the transfer of data to China where it can be collected,
inspected, and processed by the Chinese Communist Party (CCP) and related actors.11 While this can be
done illicitly, the contracts of Lenovo and Lexmark, like other Chinese-owned firms, stipulate as much.
State government information officers rely on organizations such as NASPO to validate procurement
contracts. However, information security is not currently part of NASPO’s responsibility.9 While NASPO
can help a state develop a fiscally responsible procurement contract, it does not necessarily shed light on
the information security of contracted products.10 State procurement officers likely need additional tools
and processes to conduct the information security assessment.
DANGER AHEAD: CHINA’S 2017 INTERNET SECURITY LAW
In 2016 the Chinese Communist Party, through the Standing Committee of the National People’s
Congress, passed the China Internet Security Law which went into effect in June of 2017.12 This law
requires network operators, including all companies headquartered in China, to store select data within
country and allows for Chinese authorities to do ‘spot-checks’ on a company’s network operations.13
These spot checks are conducted in a way that allows for unmitigated access to information stored by
“network operators and critical industry leaders.” The Chinese legislation defines “network” as any
system comprised of computers and related equipment that gathers, stores, transmits, exchanges or
processes information – meaning the law is applicable to nearly all businesses in China that operate their
own email or other data networks.14
Critical sectors are also defined in the law,
encompassing businesses involved in communications,
information services, energy transport, water, financial
services, public services and electronic government
services.15 Any company that is a supplier or partner
with firms in these Chinese business sectors could also
be subject to the law.16
Especially concerning to American business interests is Article 37 of the Chinese Intelligence Law,
requiring network operators in critical sectors to store data within mainland China that is gathered or
produced by any Chinese operator.17
Lenovo and Lexmark, Chinese controlled companies with ownership ties to the Chinese Communist
Party, are subject to the aforementioned cybersecurity law, therefore posing an immense threat to Western
users of these technology products. The transfer and storage of consumer data to mainland China
introduces American users to the possibility of Chinese government data collection, compromising the
data security and privacy of millions of Americans.
MILITARY AND INTELLIGENCE BANS OF LENOVO AND LEXMARK PRODUCTS
In 2019, the Department of Defense Office of the Inspector General released an audit regarding the
purchase of Commercial Off-the-Shelf (COTS) items by employees and the security ramifications of
those purchases.18 Referenced in that report was the purchasing of Lenovo laptops and Lexmark printers,
COTS items with histories of security vulnerabilities exploitable by a technological adversary like the
Chinese Communist Party (CCP).19
Lenovo has drawn scrutiny for its integration into defense infrastructure in the United States, as the US
Air Force20 raised concerns about Lenovo computers and the US Navy has banned the products from its
platforms for more than ten years. After the installation of Lenovo servers onboard naval ships, the Navy
decided to rid the defense craft of the equipment for fears of cyber-breach.21
Lexmark has been the subject of various reports regarding cyber threats and espionage risk, with the
printer company facing allegations from various technology experts and conglomerates regarding
adversarial use of the company’s printers as a medium for cyber intrusion.22 Printers, one of the least
secure Internet of Things devices, store sensitive data on internal hard drives derived from the various
printing jobs executed on a day-to-day basis. This sensitive data can be accessed through various software
vulnerabilities in the printer, making sensitive documentation visible to adversaries and foreign actors.
LENOVO’S CHINESE COMMUNIST PARTY CONNECTIONS AND SUSPECT PRODUCT INSECURITIES
Lenovo is the world’s largest manufacturer of personal computers, growing from a two-room security
guardhouse in 1984 to a global company today with headquarters in China and US headquarters in
Morrisville, North Carolina.23 What has become Lenovo today was founded in China in 1984 by Chinese
computer scientist Liu Chuanzhi and ten of his colleagues. The company was originally named New
Technology Developer Inc., changing its name soon after founding to Legend Holdings.24 Legend
Holdings still exists today as the capital investing arm of Lenovo and is a stakeholder in other Chinese
technology firms, such as Lexmark.25
Lenovo received funding, in the amount of $25,000, from the Chinese Academy of Sciences which
operates 100 research institutions in China responsive to Beijing’s direction and planning. In 1984 China
was very much a “planned economy,” with business loans from the government rare as the state held tight
control over industry and production.26 The Chinese Academy of Sciences is considered by the USCC to
be a nationally directed infrastructure of institutions, seeking to obtain technology from foreign firms in
key scientific areas that often have military applications.27 This prioritization of foreign technology
acquisition can be seen directly in Lenovo’s history, as the company has moved to purchase PC, server
and mobile communications divisions from major American corporations.28
Lenovo gained position as an international computer hardware market competitor in 2005 with the
company’s purchase of IBM’s ThinkPad division. Relatively unknown in the global marketplace before
the purchase, Lenovo found itself among major players in the technology sphere, relying on the brand and
name recognition of its newly acquired ThinkPad product line to compete for government contracts.29
Shortly after the acquisition, the United States Department of State moved to purchase Lenovo laptops for
employees.32 Congressman Frank Wolf, a critic of the IBM-Lenovo deal, quickly moved to ensure the
State Department understood the risks associated with using the Chinese-made machines. Congressman
Wolf stated in a later interview that, “They (State Department) were not able to cancel the purchases but
made sure that none of them were used for anything.”33
The 2019 Department of Defense IG report referenced the persisting vulnerabilities present in Chinese
technology, including the well-known Superfish software that was pre-installed on Lenovo laptops sold in
the United States in 2014.34 This software billed itself as a medium for advertisement targeting, but in
reality served as an information aggregator to identify user trends, surveil user credentials and funnel user
data to data storage centers on the Chinese mainland. Various technology news outlets referenced this
bloatware as the most serious breach of user trust of the decade, with the Federal Trade Commission
eventually investigating the software, fining Lenovo $3.5 million for the attempted data siphoning.35
In fact, Lenovo has a history of chronic and persisting vulnerabilities in their consumer products, with
eight vulnerabilities documented over the past decade alone. These vulnerabilities have occurred in
products ranging from personal computers to smart watches, many times compromising personal privacy
and security.
At least eight such vulnerabilities have been revealed in the past five years, including:36,37,37,39,40,41,42,43,44
“High severity” security vulnerability left users of
specific network-attached storage devices with
data exposed to anyone who went looking for it.
LEXMARK’S CHINESE COMMUNIST PARTY CONNECTIONS AND SUSPECT PRODUCT INSECURITIES
While Lexmark’s US operations are based in Lexington, Kentucky, the company is owned by a Chinese
conglomerate including investing firms Apex, PAG Asia Capital and Legend Holdings.45 Lexmark was
acquired by the Chinese consortium in 2016 for $3.6 billion in the largest acquisition in the global printer
industry.46 Lexmark management cited the sale as a catalyst for future growth, as the company, through
the new ownership, would be able to break into the lucrative Chinese market.47
Lexmark’s connection to the Chinese government is something that has been well documented by
government agencies and US courts. In a landmark case, hardware vendor Iron Bow Technologies sued
the Social Security Administration (SSA) after SSA leadership concluded the Lexmark printers sold by
Iron Bow posed too great a security risk to government networks.48
The Social Security Administration, determined to mitigate supply chain risks in procurement practices,
decided that printers manufactured by Lexmark presented an unacceptable level of supply chain risk due
to the company’s Chinese ownership and ties to the Chinese government.49
In a case heard before the Court of Federal Claims, the SSA reasoned that printers connected to the
agency’s virtual private network (VPN) could be used to siphon sensitive data. This argument was met
with stiff resistance from Iron Bow, countering the SSA’s points by stating 1) Lexmark printers are
already in use within the Federal Government; 2) Lexmark’s acquisition by the Chinese was reviewed and
approved by the Federal Government under the Committee on Foreign Investment in the United States,
with a requirement that a national security agreement be signed in conjunction with the purchase; and 3)
that Lexmark’s Chinese owners with ties to the Chinese Government were minority owners.50
The Court of Federal Claims ruled in favor of the SSA, stating that the CFIUS agreement with Lexmark
does not address supply chain risks and that Lexmark’s 49% minority ownership was enough to pose a
national security risk.51
Lexmark has a history of software vulnerabilities in its printers, with the company cited 20 times for
cybersecurity vulnerabilities by cyber research firm CVE.87 The vulnerabilities included the storing and
transmitting of sensitive network credentials in plain text, absent standard encryption practices used to
protect such information. The Department of Defense Inspector General stated that the vulnerabilities
presented by the inclusion of Lexmark printers in government networks could allow for remote attackers
to conduct cyberespionage or launch a denial of service attack on a Department of Defense Network.88
The Lexmark story is a case study for state and federal procurement officials. Lexmark, a company owned
by Chinese financial firms, was proven in court to be corrupted by the Chinese government to the point of
exclusion from the Social Security Administration’s IT network.52
Also shown in the case of Lexmark is the danger of Chinese capital flowing into the American tech
sector, as well-known brands can be purchased by foreign adversarial governments absent the knowledge
of the general public. By purchasing Lexmark in 2016, Chinese investors, including those tied to the CCP
and Chinese Academy of Sciences, have inserted Chinese technology into numerous sensitive government
networks.
Similarly, Lexmark hardware has carried a series of security flaws in recent years, with the company’s
printers being the subject of multiple technical breaches.53 The National Vulnerability Database lists 20
cybersecurity vulnerabilities for Lexmark, including storing and transmitting sensitive network access
credentials in plain text and allowing the execution of malicious code on the printer.54 The 2019 DoD
Inspector General Audit stated, “These vulnerabilities could allow remote attackers to use a connected
Lexmark printer to conduct cyberespionage or launch a denial of service attack on a Department of
Defense Network.”55
After the release of the DoD IG Report, Lexmark released a statement saying that each Lexmark hardware
issue referenced in the report had been fixed, and also called the characterization of the company in the
report “unfair.”56 This response from the company does little to reconcile the security threats posed to
sensitive government and private sector networks by the Chinese manufacturer.
STATES HAVE NO STANDARD PROCESS TO EVALUATE INSECURE TECHNOLOGY
As explained above, federal policymakers in the United States have long focused on curtailing the
security threats posed by Chinese-owned technology through federal regulation, neglecting the threat
posed to state and local governments by malign equipment. Congress and federal agencies have given
necessary attention to Chinese threats, with agencies ranging from the Department of Commerce to the
United States China Economic Security Review Commission releasing recommendations and guidelines
pertaining to Chinese equipment. Lost in the policy mix, however, have been state and local governments,
giving Chinese manufacturers the opportunity to win massive state procurement contracts unbridled by
federal government oversight.
The leading state procurement conglomerate, the National
Association of State Procurement Officers, is regarded as
the “gate keeper” for state government purchasing across
the United States. NASPO’s ValuePoint portal notes its
abilities to provide, “the highest standard of excellence in
public cooperative contracting, leveraging the leadership
and expertise of all states and the purchasing power of their public entities.”57 ValuePoint states that its
platform provides the “highest valued, reliable and competitively sourced contracts – offering public
entities outstanding prices.”
Not accounted for by NASPO, or its ValuePoint procurement portal, are the security vulnerabilities
existing in the products and contracts offered. By branding itself as the leading and most trusted vendor
portal for state procurement officers, NASPO and ValuePoint could create a false sense of security among
state officials purchasing equipment through and outside of their portals, ending in the procurement of
state equipment from vendors with known and documented security vulnerabilities. By condoning the
purchasing of these products, NASPO could unknowingly be increasing the volume of compromised
technology purchased and used across member and non-member states. Indeed, many state procurement
officers, trusting the valuable work of NASPO in the past, likely assume that NASPO performs
cybersecurity review even though it does not.
Certain vendors contracting with state governments through NASPO, like Lenovo and Lexmark, are
banned by federal agencies – but still available for purchase by state level entities. This lack of continuity
between state and federal officials and agencies has resulted in the widespread purchasing of
compromised equipment at the state level, mostly for the sake of price, leaving citizen data at the mercy
of foreign actors seeking access to American data.
EXISTING STATE CONTRACTS JEOPARDIZE SENSITIVE INFORMATION
Even while federal oversight and defense agencies warn against the use of Lenovo and Lexmark
equipment in cyber networks, state governments continue to purchase from both companies. Our
findings show that states purchase from Lexmark and Lenovo either through NASPO, the state purchasing
conglomerate, or directly from the companies.
NASPO negotiated contract templates for 33 states with Lenovo58 for computer equipment or servers.
Among those 33, 10 have additional contracts with Lexmark for printers, copiers or print services.59
However, of the 17 states outside of the NASPO agreement, more than half also have purchased
equipment directly. Furthermore, we have verified state purchases for either company’s products in a
dozen states; that spending is summarized on the following pages.
State Government Contracts with Lenovo and Lexmark
| Vendor | General Description | Initial Year | Participating States |
|---|---|---|---|
| Lenovo US | Computers and equipment60 | 2015 | 32 |
| Lenovo Global | Storage / servers61 | 2017 | 12 |
| Lexmark | Managed print services62 | 2019 | 5 |
| Lexmark | Copiers and managed print63 | 2016 | 6 |
Among the state agencies contracting with Chinese controlled firms are state Supreme Courts,
Departments of Health, Departments of Corrections and other law enforcement agencies, Education
Departments, agencies responsible for developing IT policies and distributing IT products, and others.
These state agencies are responsible for the processing
and storage of some of the most private and leverageable
data in the public sphere, and the introduction of malign
equipment into these departments fosters unacceptable
vulnerabilities.64
NASPO’s 2015 agreement with Lenovo includes Terms
and Conditions – section 7.4 titled “Customer
Information” – stipulating that customer data can be
transferred, stored and disclosed in any country where
such action is required by law.65
Given the passage of China’s dangerous 2017 National Intelligence Law, the terms and conditions permit
the storage of data in China and the disclosure of that data to the Chinese Communist Party upon
request.66 While such a clause in contracting may be commonplace by Chinese-owned vendors, there is
no reason why American data should be brought to China.
This access to citizen and government data is priceless in the hands of an adversarial government, creating
a network of machines capable of delivering vast amounts of American data unconstrained by court orders
and legal proceedings. This access gives Chinese officials the ability to monitor and aggregate sensitive
government data on American citizens – in real time.
Though the details made public about procurement and vendor payments vary among the states, available
records show how Lenovo and Lexmark hardware infiltrated a myriad of state agencies, potentially
exposing sensitive information of American government employees and private citizens.67
The next section of this paper explores case studies from Wisconsin and Arkansas, but details on several
more states are readily available in Delaware, Florida, Hawaii, Massachusetts, New York, Ohio,
Oklahoma, Rhode Island, Tennessee and West Virginia. Additionally, many more states hold contracts
with Lexmark and/or Lenovo, but spending with the companies is unknown, including Georgia, Indiana,
Michigan, Mississippi, Pennsylvania, and Texas.
Delaware: Since 2015, Delaware has spent over $175,000 on Lenovo equipment, with over
$118,000 on computers in primary schools.68 Other agencies spending public funds on Lenovo
hardware include the state Superior Court, state Family Court and Department of Services for
Children, Youth and their Families. Since 2016, the Department of Transportation and
Delaware State University spent $67,884 on Lexmark products and services.69
Florida: Since 2015, Florida agencies made over $863,000 in vendor payments to Lenovo.
The agencies that spent the most on the company’s services were the Department of Health
($391,885); Justice Administration ($199,684); Agency for Healthcare Administration
($121,607); Department of Corrections ($63,807); Environmental Protection ($25,686);
Agency for State Technology ($23,571); and the Department of Law Enforcement ($14,198).
Since 2016, the state made over $92,000 in vendor payments to Lexmark, from the
Department of Highway Safety and Motor Vehicles, the State Courts System and the
Department of Financial Services.70,71
Hawaii: The Hawaii Health Care Systems Corporation is authorized to spend $112,038 on
Lenovo hardware and maintenance between May 1, 2019 and April 30, 2020.
Massachusetts: Since 2015 the Bay State has spent approximately $5 million on Lenovo
products, including $4.4 million in purchases made by the Department of Transportation.72
New York: Home to the world’s largest financial institutions as well as the New York Stock
Exchange, the state currently possesses more than $46 million73 in contracts with Lenovo
($2,605,000 spent) and $16 million74 ($785,000) with Lexmark. The high volume of Chinese
equipment in state data systems presents significant risk to the data security of US and
international financial markets and all New Yorkers.
Ohio: Last year Ohio paid75 Lenovo $78,610. Dating back to 2015, the state spent $182,720
on Lexmark services.
Oklahoma: In 2019 alone, the Office of Management and Enterprise Services – the agency
responsible for providing finance, property, human resources and technology services to other
state offices – made $273,959 in payments to Lenovo.76
Rhode Island: Since 2015, the state has made $102,239 in vendor payments77 to Lenovo,
nearly all of which has been spent by the Office of the Public Defender ($46,259) and the
Office of the Secretary of State ($46,137), the agency responsible for ensuring “elections are
fair, fast and accurate.”78
Tennessee: Lenovo provides laptops to state students as part of the Tennessee Department of
Education’s Laptop Rental Program.79
West Virginia: Beginning in 2014, West Virginia paid more than $500,000 for Lenovo
products, mostly by state universities, while also spending $70,000 on Lexmark products.80
CASE STUDY 1 – LENOVO IN WISCONSIN
Background:
The State of Wisconsin, a signee of the NASPO ValuePoint Contract
MNWNC-117 (Bands 1,2,3) and MNWNC-135 (Bands 4,5) 2015-2020
Computer Equipment, Peripherals, & Related Devices, purchased $93,399.23 of
Lenovo equipment in FY 2019. There were 5 departments within the state that purchased the equipment,
with the largest purchase being made by the Wisconsin State Supreme Court.81 This
Chinese-manufactured equipment gives the Chinese Communist Party access to state networks while also
allowing the CCP to access that data upon request, as referenced in Section 7.1 of the Lenovo User
Agreement and the 2017 Chinese Cybersecurity Law.
Risks Posed to Wisconsin State Government:
Lenovo, the world’s leading manufacturer of personal computers, is partially owned by the Chinese
Academy of Sciences and compelled to comply with all Chinese cybersecurity laws as a business
operating out of mainland China. Lenovo is also a market leader in the server sector, purchasing IBM’s
x86 server business in 2014.82
By procuring equipment from Lenovo, Wisconsin state officials could be unwittingly granting access to
citizen data to the Chinese government, as referenced in Section 7.4 of the 2015 Lenovo User Agreement
– the same year NASPO signed a 30+ state contract with the company. This language reads:
7.4 Customer Information. Lenovo and its affiliates may store, use and process contact
information and other information about Customer, including names, phone numbers,
addresses, and e-mail addresses, necessary to perform under this Agreement, including but not
limited to warranty service. Such information will be processed and used in connection with
this Agreement and the Products or Services. It may be transferred by Lenovo to any country
where Lenovo does business; and may be provided to entities acting on Lenovo’s behalf in
relation to this Agreement and the Products or Services. Lenovo may also disclose such
information where required by law.83
Buried in the later subsections of the Lenovo User Agreement, this clause gives the company permission
to send user data back to China, and then disclose that data where required by law. In 2017, the Chinese
government enacted a Cybersecurity Law granting access to network data from Chinese companies upon
request of the Chinese Communist Party. This translates to CCP officials being able to obtain American
consumer data, as Lenovo is compelled by law to share this data with party officials or risk legal
reprimand from the Communist regime.84
Wisconsin Agencies Procuring Lenovo Equipment in 2019 and Purchase Amounts:85
- Department of Employee Trust Funds: $4,294.63
- Elections Commission: $17,431.70
- Court of Appeals: $5,872.00
- Supreme Court: $61,675.00
- Department of Revenue: $6,630.90
Ramifications of Procurement
With Lenovo and Lexmark’s documented security vulnerabilities and a requirement to support the
Chinese government, procurement officials must ask why these devices are allowed, particularly for
computing responsibilities for departments of elections and courts. As the United States finds itself under
attack from foreign actors, notably in its democratic elections, procurement officials should work to
mitigate risk to state networks. Ridding these networks of known malign foreign equipment is a
prudent step.
CASE STUDY 2 – LEXMARK IN ARKANSAS
Background:
Lexmark specializes in the manufacturing of printers and printer hardware.
Lexmark has a strong federal presence, with hardware in federal agencies
ranging from the Department of Defense to the Internal Revenue Service.
Lexmark also has a standing purchasing contract with CDW (tech equipment vendor and wholesaler) and
the General Services Administration (GSA), allowing federal agencies to purchase Lexmark equipment
from an online marketplace. The Lexmark privacy agreement also allows for information to be shared
across national borders, namely with countries in which Lexmark operates – i.e. China, the location of
Lexmark’s holding companies.86
The Lexmark Customer Agreement for Printer and Storage Devices uses language that allows for data
storage, transfer and processing in the United States and “other countries” where Lexmark maintains
facilities. Given the company’s operations in mainland China, Lexmark can store and process data in
China and could be compelled to turn that data over to the CCP.
Lexmark Customer Agreement:
- Cross-border transfers: “We are a global organization with offices and customers around the
world. To efficiently manage our business and best serve you, all kinds of data – not just Personal
Data – may be transferred and accessed by Lexmark entities worldwide on the basis of this
Privacy Notice and in alignment with international data privacy standards. We may store, transfer,
and process Personal Data in the United States and other countries where we maintain
facilities. By using our websites or services you consent to any such transfer of information
outside your country.”89
At minimum, the language appears to violate the California Consumer Privacy Act, the new law which,
failing Congressional action, is America’s new de facto privacy standard.90
State Focus: Arkansas
While this paper focuses primarily on NASPO’s agreements with Chinese companies, states do not need
to negotiate through the organization to order Chinese-manufactured equipment. Arkansas is not a signee
to the NASPO agreements with Lexmark, but has negotiated several contracts with the company since
August 2018, which authorize the state to spend $14,884,440.64; these include two separate $4.1 million
contracts for “copy machines, digital” and two other $3.25 million contracts for “general equipment.”91
Lexmark equipment and services for FY20 have already totaled more than $65,000 including the Office
of Child Support Enforcement ($28,133.12), Department of Corrections ($24,321.70), and Department of
Finance and Administration ($13,109.58). Given the nearly $15 million in contracts in place, final spending
tallies at the end of the fiscal year will likely be much higher.92
Besides Lexmark, Arkansas holds 36 contracts with Lenovo totaling $1,282,295. Since 2015, the state has
made over $500,000 in vendor payments to Lenovo, including more than $173,000 for the Department of
Health and $139,000 for the Department of Information Systems. Additional payments have been made
for the Geological Survey, Administrative Office of the Courts, Supreme Court, and the Department of
Education.92
Given the diverse missions of these agencies, their extensive reach, and how they all handle and store
sensitive information, it is not a stretch to say that personal data of Arkansas residents and the data of
enterprises registered in the state is at risk of being transferred to China.
Federal Agency Purchasing of Lexmark Equipment
Besides state agencies, the United States government contracting website, USA Spending, lists both
current and past Lexmark contracts in its online database. These contracts range in transaction amount
from more than $25 million to below $100,000, with agencies procuring the technology listed below.
- Department of Defense, Department of the Army93: $453,150
- Department of Defense, Department of the Air Force94: $1,348,374.24
- Department of Agriculture, Chief Financial Officer95: $7,344,431.72
- Social Security Administration, Social Security Administration96: $466,369.76
- Social Security Administration, Social Security Administration97: $25,467,857.24
- Department of Transportation, Immediate Office of the Secretary of Transportation98: $2,264,956.17
- Department of Transportation, Federal Aviation Administration99: $464,337.90
- National Transportation Safety Board, NTSB100: $860,809.95
- Department of the Treasury, Internal Revenue Service101: $185,000
Procurement Ramifications
Procuring Lexmark equipment introduces systemic risk to government networks. Lexmark printers store
sensitive print and network information on device hard drives and then risk exposing that information via
unencrypted communication with other devices. By procuring Lexmark equipment, federal employees
risk the network security of their departments while also threatening the integrity and functionality of the
greater agency network infrastructure. Procurement officials should note that denial-of-service attacks
have been highlighted by the Department of Defense as a risk of using Lexmark equipment.102
SUGGESTED REMEDIES
#1. States Should Review Current Contracts For Security Vulnerabilities
To rid networks of persistent threats from malign Chinese technology and to ensure safety and security,
states should review existing contracts with Chinese-owned vendors and assess the risks and
vulnerabilities they pose. For example, what kind of liabilities would states face if sensitive data is
compromised? Moreover, how will state residents, businesses, and other organizations react when they
learn that their valuable information can be transferred to China?
State procurement officials are gatekeepers to the data and privacy of the citizens and public entities under
their purview and must understand and address the risks associated with the purchasing and use of
Chinese equipment from Lenovo and Lexmark. While devices like laptops and printers seem innocuous to
the average user, these network components can serve as springboards for foreign governments to spy on
American citizens, collect sensitive information, and influence democratic elections. The first step in
mitigating the risk associated with Chinese equipment is to take the equipment out of American networks,
replacing it with trusted products. Moreover, states should reject any contract terms that allow the
expropriation of data. There is no justification for data collected by US states to be shared with the
Chinese government under any circumstances.
#2. NASPO Should Consider Incorporating Cybersecurity Evaluations into its Offering or Clarify its Role
As the standard-bearer and leading state procurement conglomerate in the United States, the National
Association of State Procurement Officers (NASPO) should lead the way in mitigating the threat posed to
public entities procuring IT products. This begins with NASPO leaders incorporating security
vulnerabilities into the contracting process. This could include partnering with federal agencies like the
Department of Commerce or Department of Homeland Security’s Cybersecurity & Infrastructure Security
Agency (CISA) to develop recommendations for assessing the security of products. This is especially
important as NASPO renegotiates national purchasing contracts. Lenovo’s state purchasing agreement
with NASPO expires in March of 2020; Lexmark’s in 2021.
NASPO helps state procurement officials use resources wisely and improve procurement negotiation.
NASPO should remind its members that cybersecurity evaluation is a separate function not included in
the NASPO review. Given NASPO’s experience and credibility with its members, developing
competence in the information security assessment domain would add value to its members.
Works Cited:
1. Tracy, R. (2019, November 22). FCC Deals Blow to Huawei and ZTE, Cuts Off Telecom Subsidies. Retrieved from
https://www.wsj.com/articles/fcc-deals-blow-to-huwaei-and-zte-cuts-off-telecom-subsidies-11574443335
2. Thornberry, M. (2018, August 13). Text - H.R.5515 - 115th Congress (2017-2018): John S. McCain National Defense Authorization Act for Fiscal
Year 2019. Retrieved from https://www.congress.gov/bill/115th-congress/house-bill/5515/text
3. U.S. Department of Commerce Adds 28 Chinese Organizations to its Entity List. (2019, October 7). Retrieved from
https://www.commerce.gov/news/press-releases/2019/10/us-department-commerce-adds-28-chinese-organizations-its-entity-list
4. Tracy, R. (2019, November 22). FCC Deals Blow to Huawei and ZTE, Cuts Off Telecom Subsidies. Retrieved from
https://www.wsj.com/articles/fcc-deals-blow-to-huwaei-and-zte-cuts-off-telecom-subsidies-11574443335
5. Ibid
6. Myers, J., & Whiting, K. (2019, January 16). These are the biggest risks facing our world in 2019. Retrieved from
https://www.weforum.org/agenda/2019/01/these-are-the-biggest-risks-facing-our-world-in-2019/
7. Institute, I. S. (n.d.). What Are The Biggest Security Threats To State And Local Governments? Retrieved from
https://resources.infosecinstitute.com/category/enterprise/securityawareness/security-threats-by-industry/security-threats-to-state-local-
governments/#gref
8. Nash-Hoff, M. (2011, August 18). Viewpoint: Why is China Cheaper? Retrieved from https://www.industryweek.com/the-
economy/environment/article/21955887/viewpoint-why-is-china-cheaper
9. Who We Are. (2020). Retrieved from https://www.naspo.org/About-Us/Who-We-Are
10. Ibid
11. Lenovo Sales Agreement . (n.d.). Retrieved from https://www.lenovo.com/medias/Sales-Terms-and-Conditions-
US.html?context=bWFzdGVyfHJvb3R8MTMzNzV8dGV4dC9odG1sfGg3MC9oYWMvOTQ0MTA1NTgwMTM3NC5odG1sfDgwM2RjYzkxMz
NhYWYzOTJiNGEwZjU1ZjFhMWZkOGM5M2JhYzVmYTkwNzQ2OTk0ZWE5NjVkOWZiMWYwNzdhZmE
12. Creemers, R., Triolo, P., & Webster, G. (2018, June 29). Translation: Cybersecurity Law of the People's Republic of China (Effective June 1,
2017). Retrieved from https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-cybersecurity-law-peoples-republic-china/
13. Ibid
14. Ibid
15. Ibid
16. Wu, H. (2016, December 4). Final Passage of China's Cybersecurity Law. Retrieved from https://globalcompliancenews.com/final-passage-chinas-
cybersecurity-law-20161204/
17. Creemers, R., Triolo, P., & Webster, G. (2018, June 29). Translation: Cybersecurity Law of the People's Republic of China (Effective June 1,
2017). Retrieved from https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-cybersecurity-law-peoples-republic-china/
18. Audit of the DoD’s Management of the Cybersecurity Risks for Government Purchase Card Purchases of Commercial Off-the-Shelf Items DODIG-
2019-106. (2019, July 30). Retrieved from https://www.dodig.mil/reports.html/Article/1920236/audit-of-the-dods-management-of-the-
cybersecurity-risks-for-government-purchase/?_sm_au_=iVV0tD0fjsFkZHNM01TfKK3Qv3fc4
19. Ibid
20. Gertz, B. (2016, October 24). Military Warns Lenovo Poses Cyber Spy Threat. Retrieved from https://freebeacon.com/national-security/military-
warns-chinese-computer-gear-poses-cyber-spy-threat/
21. Muncaster, P. (2015, May 7). US Navy Looks to Dump Lenovo Servers on Security Concerns – Report. Retrieved from https://www.infosecurity-
magazine.com/news/us-navy-dumps-lenovo-servers/
22. Details, C. V. E. (2019). Lexmark : Security Vulnerabilities. Retrieved from https://www.cvedetails.com/vulnerability-
list.php?vendor_id=683&product_id=0&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=
0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&cweid=0&order=1&trc=31
&sha=97669f68b03c99a5cebcc8d0d0022600b1ecd781
23. Sarokin, D. (2019, February 11). The History of Lenovo. Retrieved from https://bizfluent.com/info-8081800-history-lenovo.html
24. Ibid
25. Newswire, P. R. (2016, November 29). Lexmark announces completion of acquisition by Apex Technology and PAG Asia Capital. Retrieved from
https://newsroom.lexmark.com/2016-11-29-Lexmark-announces-completion-of-acquisition-by-Apex-Technology-and-PAG-Asia-Capital
26. Sarokin, D. (2019, February 11). The History of Lenovo. Retrieved from https://bizfluent.com/info-8081800-history-lenovo.html
27. Ibid
28. Holdings, L. (n.d.). Legend Holdings" Company History. Retrieved from http://www.legendholdings.com.cn/History_en/index.aspx?nodeid=1044
29. Bajarin, T. (2015, May 4). How Lenovo Became a Global PC Powerhouse After IBM Deal. Retrieved from https://time.com/3845674/lenovo-ibm/
30. Ibid
31. Ibid
32. Gross, G. (2006, May 19). U.S. State Department to limit use of Lenovo PCs. Retrieved from https://www.computerworld.com/article/2545522/u-s-
-state-department-to-limit-use-of-lenovo-pcs.html
33. Bartz, D. (2014, January 31). Experts predict Lenovo's U.S. buys will pass regulatory muster. Retrieved from https://www.reuters.com/article/us-
motorolamobility-lenovo-regulation-idUSBREA0U06C20140131
34. Audit of the DoD’s Management of the Cybersecurity Risks for Government Purchase Card Purchases of Commercial Off-the-Shelf Items DODIG-
2019-106. (2019, July 30). Retrieved from https://www.dodig.mil/reports.html/Article/1920236/audit-of-the-dods-management-of-the-
cybersecurity-risks-for-government-purchase/?_sm_au_=iVV0tD0fjsFkZHNM01TfKK3Qv3fc4
35. Lenovo Settles FTC Charges it Harmed Consumers With Preinstalled Software on its Laptops that Compromised Online Security. (2017, December
29). Retrieved from https://www.ftc.gov/news-events/press-releases/2017/09/lenovo-settles-ftc-charges-it-harmed-consumers-preinstalled
36. Rubin, B. F. (2017, September 5). Lenovo settles with the feds over Superfish adware issue. Retrieved from https://www.cnet.com/news/lenovo-
settles-on-superfish-adware-will-pay-3-5-million/
37. Winder, D. (2019, July 18). Lenovo Confirms 36TB Data Leak Security Vulnerability. Retrieved from
https://www.forbes.com/sites/daveywinder/2019/07/17/lenovo-confirms-36tb-data-leak-security-vulnerability
38. Whittaker, Z. (2019, February 11). Lenovo Watch X was Riddled With Security Bugs, Researcher Says . Retrieved from
https://techcrunch.com/2019/02/11/lenovo-watch-x-security-bugs/
39. Coppock, M. (2018, January 30). https://www.digitaltrends.com/computing/lenovo-fingerprint-manager-pro-
vulnerable/?_sm_au_=iVVj67715fn2cDnc. Retrieved from https://www.digitaltrends.com/computing/lenovo-fingerprint-manager-pro-vulnerable/
40. Wiggers, K. (2017, August 1). How to keep yourself safe from Chinese spyware on budget Android phones. Retrieved from
https://www.digitaltrends.com/mobile/kryptowire-adups-news/
41. Osborne, C. (2016, June 2). Lenovo begs users to uninstall Accelerator app in the name of security. Retrieved from
https://www.zdnet.com/article/lenovo-begs-users-to-uninstall-accelerator-app-in-the-name-of-security/
42. George, A. (2019, August 26). Your Lenovo laptop may have a serious security flaw. Retrieved from
https://www.digitaltrends.com/computing/lenovo-laptops-security-flaw/
43. Commission, F. T. (2017, December 29). Lenovo Settles FTC Charges it Harmed Consumers With Preinstalled Software on its Laptops that
Compromised Online Security. Retrieved from https://www.ftc.gov/news-events/press-releases/2017/09/lenovo-settles-ftc-charges-it-harmed-
consumers-preinstalled
44. Philipp, J. (2015, September 9). Spy Software Found Preinstalled on Lenovo, Huawei, and Xiaomi Smartphones. Retrieved from
https://www.theepochtimes.com/spy-software-found-pre-installed-on-lenovo-huawei-and-xiaomi-smartphones_1748900.html
45. Chinese firms take over printer giant Lexmark. (2016, December 13). Retrieved from https://www.chinadaily.com.cn/business/2016-
12/13/content_27658491.htm
46. Lexmark announces completion of acquisition by Apex Technology and PAG Asia Capital. (2016, November 29). Retrieved from
https://newsroom.lexmark.com/2016-11-29-Lexmark-announces-completion-of-acquisition-by-Apex-Technology-and-PAG-Asia-Capital
47. Chinese firms take over printer giant Lexmark. (2016, December 13). Retrieved from https://www.chinadaily.com.cn/business/2016-
12/13/content_27658491.htm
48. Federal Claims, U. S. C. of. (2018, March 27). Pre-Award Bid Protest; Judgment Upon the Administrative Record; RCFC 52.1; Supplementing the
Administrative Record; Permanent Injunction. . Retrieved from https://federalnewsnetwork.com/wp-content/uploads/2018/05/ssa-supply-chain-
court-case-march-2018.pdf
49. Ibid
50. Ibid
51. Miller, J. (2019, January 23). SSA bid protest win demonstrates power of acquisition to protect the supply chains. Retrieved from
https://federalnewsnetwork.com/reporters-notebook-jason-miller/2018/05/ssa-bid-protest-win-demonstrates-power-of-acquisition-to-protect-the-
supply-chains/
52. Ibid
53. Spring, T. (2017, December 18). User 'Gross Negligence' Leaves Hundreds of Lexmark Printers Open to Attack. Retrieved from
https://threatpost.com/user-gross-negligence-leaves-hundreds-of-lexmark-printers-open-to-attack/129187/
54. Database, N. V. (2019, February 11). CVE 2019-6489 Detail. Retrieved from https://nvd.nist.gov/vuln/detail/CVE-2019-6489
55. Audit of the DoD’s Management of the Cybersecurity Risks for Government Purchase Card Purchases of Commercial Off-the-Shelf Items DODIG-
2019-106. (2019, July 30). Retrieved from https://www.dodig.mil/reports.html/Article/1920236/audit-of-the-dods-management-of-the-
cybersecurity-risks-for-government-purchase/?_sm_au_=iVV0tD0fjsFkZHNM01TfKK3Qv3fc4
56. Briefings, A. (2019, August 2). Lexmark Comments on DoD Reports Claiming Its Printers Pose Security Risk. Retrieved from https://www.action-
intell.com/2019/08/02/lexmark-comments-on-dod-report-claiming-its-printers-pose-security-risk/
57. Point, N. A. S. P. O. V. (n.d.). NASPO Value Point: How It Works. Retrieved from https://www.naspovaluepoint.org/#/page/How-it-Works
58. WELCOME TO THE LENOVO SITE FOR NATIONAL ASSOCIATION FOR STATE PROCUREMENT OFFICIALS. (n.d.). Retrieved from
https://solutions.lenovo.com/naspo/
59. NASPO Managed Print Services 2016-2021. (n.d.). Retrieved February 1, 2020, from https://www.naspovaluepoint.org/portfolio/managed-print-
services-2016-2021/
60. https://www.naspovaluepoint.org/portfolio/computer-equipment-peripherals-related-services-2015-2020/lenovo-united-states-inc/
61. https://www.naspovaluepoint.org/portfolio/computer-equipment-peripherals-related-services-2015-2020/lenovo-global-technology/
62. https://www.naspovaluepoint.org/portfolio/copiers-managed-print-services-2019-2024/lexmark-international-inc/
63. https://www.naspovaluepoint.org/portfolio/managed-print-services-2016-2021/lexmark-international-inc/
64. Open Book Wisconsin. (n.d.). Retrieved January 6, 2020, from
http://openbook.wi.gov/PurchaseOrderDetail.aspx?AgencyCode=680&TransactionNumber=0000000296&ProviderCode=0239d537-902c-4a00-
b2ad-c30c8f1a9f20&ContractId=505ENT-O16-NASPOCOMPUT-
13#&&aGkjSsKEmJhEFqJgx7RzVvazW18BitPrS7n2VpJESs8iEDdGqKRy3LxuHHqL0QuvmN4Wpx dL3zkbw o
ArhhO2s6cWLJ9KLlzJS7REO414IJ cfw81z2dEXWXZTb2y7F/i6p oKJYlPUFKlMzFGJw==
65. Lenovo Sales Agreement . (n.d.). Retrieved from https://www.lenovo.com/medias/Sales-Terms-and-Conditions-
US.html?context=bWFzdGVyfHJvb3R8MTMzNzV8dGV4dC9odG1sfGg3MC9oYWMvOTQ0MTA1NTgwMTM3NC5odG1sfDgwM2RjYzkxMz
NhYWYzOTJiNGEwZjU1ZjFhMWZkOGM5M2JhYzVmYTkwNzQ2OTk0ZWE5NjVkOWZiMWYwNzdhZmE
66. Ibid
67. Data, D. O. (n.d.). Lexmark International Broken Down by Vendor. Retrieved from https://opencheckbook.delaware.gov/#!/year/All
Years/explore/0-/vendor/LEXMARK INTERNATIONAL INC/1-/department
State/Federal Contract Data:
68. https://opencheckbook.delaware.gov/?_sm_au_=iVVzrM50fpPT5ssP01TfKK3Qv3fc4#!/year/All%20Years/explore/0-/vendor/LENOVO+INC/0-
/department
69. https://opencheckbook.delaware.gov/#!/year/All%20Years/explore/0-/vendor/LEXMARK+INTERNATIONAL+INC/1-/department
70. https://fs.fldfs.com/dispub2/newvpymt4.shtml
71. https://fs.fldfs.com/dispub2/newvpymt4.shtml
72. https://hands.ehawaii.gov/hands/awards/award-details/159715?_sm_au_=iVVzrM50fpPT5ssP01TfKK3Qv3fc4; http://massopenbooks.org/vendor-
payments/
73. https://wwe2.osc.state.ny.us/transparency/contracts/contractsearch.cfm
74. https://wwe2.osc.state.ny.us/transparency/contracts/contractsearch.cfm
75. https://procure.ohio.gov/proc/currentContractsResults.asp?t1=0&t2=0&t3=0&CN=&IN=&SK=&CMPT=All&MT=All&KST=All%20Words&CT=ALL&CSTAT=ALL&SDT=0&SD=&ED=&CMPN=Lenovo&CTT=All%20Contract%20Types%20/%20Methods&SDTT=-
%20Select%20Type%20-%20&CMPTT=&MTT=&CSTATT=All; http://ohiotreasurer.gov/Transparency/Ohios-Online-Checkbook/Advanced-
Search
76. https://data.ok.gov/dataset/state-oklahoma-vendor-payments-fiscal-year-2019
77. http://www.ripay.ri.gov/VendorPayments.aspx
78. https://www.sos.ri.gov/about-us
79. https://www.tn.gov/education/district-technology/laptop-program.html
80. http://www.transparencywv.org/
81. Open Book Wisconsin. (n.d.). Retrieved January 6, 2020, from
http://openbook.wi.gov/PurchaseOrderDetail.aspx?AgencyCode=680&TransactionNumber=0000000296&ProviderCode=0239d537-902c-4a00-
b2ad-c30c8f1a9f20&ContractId=505ENT-O16-NASPOCOMPUT-
13#&&aGkjSsKEmJhEFqJgx7RzVvazW18BitPrS7n2VpJESs8iEDdGqKRy3LxuHHqL0QuvmN4Wpx dL3zkbw o
ArhhO2s6cWLJ9KLlzJS7REO414IJ cfw81z2dEXWXZTb2y7F/i6p oKJYlPUFKlMzFGJw==
Works Cited (cont.):
82. List of Lenovo's 7 Acquisitions, including Fujitsu - PC business and Marvell Semiconductor. (n.d.). Retrieved from
https://www.crunchbase.com/search/acquisitions/field/organizations/num_acquisitions/lenovo
83. Lenovo Sales Agreement . (n.d.). Retrieved from https://www.lenovo.com/medias/Sales-Terms-and-Conditions-
US.html?context=bWFzdGVyfHJvb3R8MTMzNzV8dGV4dC9odG1sfGg3MC9oYWMvOTQ0MTA1NTgwMTM3NC5odG1sfDgwM2RjYzkxMz
NhYWYzOTJiNGEwZjU1ZjFhMWZkOGM5M2JhYzVmYTkwNzQ2OTk0ZWE5NjVkOWZiMWYwNzdhZmE
84. Ibid
85. Open Book Wisconsin. (n.d.). Retrieved January 6, 2020, from
http://openbook.wi.gov/PurchaseOrderDetail.aspx?AgencyCode=680&TransactionNumber=0000000296&ProviderCode=0239d537-902c-4a00-
b2ad-c30c8f1a9f20&ContractId=505ENT-O16-NASPOCOMPUT-
13#&&aGkjSsKEmJhEFqJgx7RzVvazW18BitPrS7n2VpJESs8iEDdGqKRy3LxuHHqL0QuvmN4Wpx dL3zkbw o
ArhhO2s6cWLJ9KLlzJS7REO414IJ cfw81z2dEXWXZTb2y7F/i6p oKJYlPUFKlMzFGJw==
86. Lexmark announces completion of acquisition by Apex Technology and PAG Asia Capital. (2016, November 29). Retrieved from
https://newsroom.lexmark.com/2016-11-29-Lexmark-announces-completion-of-acquisition-by-Apex-Technology-and-PAG-Asia-Capital
87. Details, C. V. E. (2019). Lexmark : Security Vulnerabilities. Retrieved from https://www.cvedetails.com/vulnerability-
list.php?vendor_id=683&product_id=0&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=
0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&cweid=0&order=1&trc=31
&sha=97669f68b03c99a5cebcc8d0d0022600b1ecd781
88. Ward, K. (2019, August 2). Federal audit: Remote attackers could ‘use a connected Lexmark printer to conduct cyberespionage.’ Retrieved from
https://www.kentucky.com/news/business/article233458527.html
89. International, L. (n.d.). Lexmark US Terms and Conditions: Privacy Notice . Retrieved from https://www.lexmark.com/en_us/privacy-policy.html
90. Becerra, X. (n.d.). California Consumer Privacy Act (CCPA). Retrieved from https://oag.ca.gov/privacy/ccpa
91. https://www.ark.org/dfa/transparency/contracts.php?ina_sec_csrf=ad9c08249a3d928802fc8b8c71c84a05&do:contracts&tab=byvendor
92. https://www.ark.org/dfa/transparency/vendor_summary.php?vendor=LENOVO+UNITED+STATES+INC
93. https://www.usaspending.gov/#/award/38399899
94. https://www.usaspending.gov/#/award/38399899
95. https://www.usaspending.gov/#/award/9276950
96. https://www.usaspending.gov/#/award/2049793
97. https://www.usaspending.gov/#/award/1647529
98. https://www.usaspending.gov/#/award/8209476
99. https://www.usaspending.gov/#/award/87385417
100. https://www.usaspending.gov/#/award/27336452
101. https://www.usaspending.gov/#/award/CONT_AWD_TIRNO09K00159_2050_GS35F0789J_4730
102. NASPO ValuePoint Lexmark Contract Information. (n.d.). Retrieved January 25, 2020, from https://www.naspovaluepoint.org/portfolio/copiers-
managed-print-services-2019-2024/lexmark-international-inc/